[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Time Invariant String Comparison
- From: Dirk Laurie <dirk.laurie@...>
- Date: Fri, 17 Jan 2014 12:08:53 +0200
2014/1/16 Jason A. Donenfeld <Jason@zx2c4.com>:
> Over at cgit [1] we use Lua for our authentication framework [2]. One
> thing we're doing wrong is lines like these:
>
> if password == post["password"] then
>
> Since an attacker can control the post params, this test is vulnerable
> to a timing attack, by which an attacker could determine the password
> one character at a time by analysis of response time.
>
> What I'm looking for is some clever way in Lua to compare two strings
> in a time invariant way. Any suggestions?
By now, you have had many replies, the common denominator being:
Lua string comparison _is_ time invariant unless the strings are very
long.
It has also been suggested, in effect, that your code should be
saying
if encrypted_password == encrypt(post.password) then
You could also have cryptography at both ends:
1. Client sends a request to authenticate.
2. Server sends a message together with the request: calculate
encrypt(message,key) using your secret password as key,
and send me the result. While waiting for the response, server
does the same calculation.
3.Program does
if encryption == post.encryption then
This will mean that unencrypted passwords never physically
travel along the communications line.
Of course, your 'encrypt' function should not afford a way of
recovering a key from a plaintext/cyphertext pair.
Yes, yes, tools like openssl offer this service transparently, but
some people are paranoid.